Bug 753051

Summary: Interactive PolicyKit authentication not working
Product: Fedora
Reporter: Adam Williamson <awilliam>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: rawhide
CC: davidz, dominick.grift, dwalsh, eparis, jmorris, lpoetter, mgrepl, pbrobinson, sdsmall
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-11-21 16:53:40 UTC
Attachments: Policy to fix login in Rawhide (flags: none)

Description Adam Williamson 2011-11-11 07:47:40 UTC
In current Rawhide, interactive PK authentication isn't working in GNOME. (Haven't tested other desktops). If I try to do anything that should pop up a PK dialog - say, run virt-manager, or try to install a package with gnome-packagekit - it just acts as if it doesn't have the permissions, it never pops up the dialog asking for a password.

F16 works fine.

All I can see that changed between F16 and F17 is polkit-gnome 0.105; polkit itself hasn't changed.

Comment 1 Adam Williamson 2011-11-11 21:50:31 UTC
Seems to be down to selinux: if I boot with enforcing=0, PK auth works.

I have these AVCs during boot when booting with enforcing=0, not sure if they're related, though:

Nov 11 13:46:50 adam kernel: [    3.922412] type=1400 audit(1321048006.822:3): avc:  denied  { write } for  pid=1 comm="systemd" name="/" dev=tmpfs ino=8408 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Nov 11 13:46:50 adam kernel: [    3.922416] type=1400 audit(1321048006.822:4): avc:  denied  { add_name } for  pid=1 comm="systemd" name="Sea500" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Nov 11 13:46:50 adam kernel: [    3.922420] type=1400 audit(1321048006.822:5): avc:  denied  { create } for  pid=1 comm="systemd" name="Sea500" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Nov 11 13:46:50 adam kernel: [    6.898557] type=1400 audit(1321048009.802:6): avc:  denied  { execute } for  pid=891 comm="sd(EXEC)" name="aliasesdb" dev=dm-2 ino=1444566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_exec_t:s0 tclass=file
Nov 11 13:46:50 adam kernel: [    6.898562] type=1400 audit(1321048009.802:7): avc:  denied  { read open } for  pid=891 comm="sd(EXEC)" name="aliasesdb" dev=dm-2 ino=1444566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_exec_t:s0 tclass=file
Nov 11 13:46:50 adam kernel: [    6.898619] type=1400 audit(1321048009.802:8): avc:  denied  { execute_no_trans } for  pid=891 comm="sd(EXEC)" path="/usr/libexec/postfix/aliasesdb" dev=dm-2 ino=1444566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_exec_t:s0 tclass=file
Nov 11 13:46:50 adam kernel: [    6.899448] type=1400 audit(1321048009.802:9): avc:  denied  { ioctl } for  pid=891 comm="aliasesdb" path="/usr/libexec/postfix/aliasesdb" dev=dm-2 ino=1444566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_exec_t:s0 tclass=file
Nov 11 13:46:50 adam kernel: [    6.899457] type=1400 audit(1321048009.802:10): avc:  denied  { getattr } for  pid=891 comm="aliasesdb" path="/usr/libexec/postfix/aliasesdb" dev=dm-2 ino=1444566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_exec_t:s0 tclass=file
Nov 11 13:46:50 adam kernel: [    6.902257] type=1400 audit(1321048009.805:11): avc:  denied  { getattr } for  pid=891 comm="aliasesdb" path="/etc/aliases" dev=dm-2 ino=132532 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file
Nov 11 13:46:50 adam kernel: [    7.991926] type=1400 audit(1321048010.896:12): avc:  denied  { read } for  pid=992 comm="libvirtd" name="images" dev=sdb1 ino=12 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
Nov 11 13:46:51 adam kernel: [    8.115620] type=1400 audit(1321048011.021:13): avc:  denied  { read } for  pid=992 comm="libvirtd" name="efiboot.img" dev=sdb1 ino=52 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
Nov 11 13:46:51 adam kernel: [    8.115634] type=1400 audit(1321048011.021:14): avc:  denied  { open } for  pid=992 comm="libvirtd" name="efiboot.img" dev=sdb1 ino=52 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
Nov 11 13:46:51 adam kernel: [    8.115649] type=1400 audit(1321048011.021:15): avc:  denied  { getattr } for  pid=992 comm="libvirtd" path="/media/Sea500/images/efiboot.img" dev=sdb1 ino=52 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 2 Adam Williamson 2011-11-11 21:56:41 UTC
selinux-policy -57 does not fix this.


Comment 3 Daniel Walsh 2011-11-11 22:11:23 UTC
file_t is caused by you having a disk without labels.  restorecon -R -v /media

Should fix those.

I will add policy to allow init to run the aliases.db file.

Not sure what systemd is writing to /mnt?

But none of these are causing the problem.  I have a feeling this has something to do with consolekit.

# semanage permissive -a consolekit_t

And see if this fixes the problem?

Comment 4 Adam Williamson 2011-11-11 22:52:24 UTC
Yes, that does fix / workaround the issue.


Comment 5 Peter Robinson 2011-11-12 09:23:38 UTC
If it's a problem with ConsoleKit I suspect it might be this feature that's causing the issues. Adding lennart as it's his feature

https://fedoraproject.org/wiki/Features/ckremoval

Comment 6 Daniel Walsh 2011-11-14 18:18:17 UTC
Adam, can you run

semodule -DB
reboot
login
gather all AVCs that mention consolekit, and attach them.
semodule -B

semodule -DB will turn off dontaudit rules.  You probably want to clean your log files first.
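The triage step above (and the AVC dump in comment 1) can be done with a small parser; the following is an added example written for this page, not code from the report or from Fedora's SELinux tooling. It parses kernel AVC denial lines, aggregates them by source type, target type and object class, takes an optional substring filter that plays the "gather all AVCs that mention consolekit" role, and flags file_t targets, which point at unlabeled files to fix with restorecon rather than at a policy gap. The sample lines are taken from comment 1, plus one constructed non-AVC line.

```python
import re
from collections import defaultdict

# Sample input: four kernel audit lines quoted in comment 1 of this report, plus one constructed non-AVC line.
SAMPLE_LOG = [
    'Nov 11 13:46:50 adam kernel: [    3.922412] type=1400 audit(1321048006.822:3): avc:  denied  { write } for  pid=1 comm="systemd" name="/" dev=tmpfs ino=8408 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir',
    'Nov 11 13:46:50 adam kernel: [    6.898557] type=1400 audit(1321048009.802:6): avc:  denied  { execute } for  pid=891 comm="sd(EXEC)" name="aliasesdb" dev=dm-2 ino=1444566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_exec_t:s0 tclass=file',
    'Nov 11 13:46:50 adam kernel: [    6.898562] type=1400 audit(1321048009.802:7): avc:  denied  { read open } for  pid=891 comm="sd(EXEC)" name="aliasesdb" dev=dm-2 ino=1444566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_exec_t:s0 tclass=file',
    'Nov 11 13:46:50 adam kernel: [    7.991926] type=1400 audit(1321048010.896:12): avc:  denied  { read } for  pid=992 comm="libvirtd" name="images" dev=sdb1 ino=12 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir',
    'Nov 11 13:46:50 adam kernel: [    8.000000] systemd[1]: Started Some Service.',  # constructed, not an AVC
]

# The permission set sits in braces; everything after "for" is key=value fields.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = frozenset(m.group('perms').split())
    # Contexts are user:role:type:level; policy rules are written in terms of the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarise(lines, mention=None):
    """Aggregate denials into {(source type, target type, class): set of perms}.
    `mention` keeps only records whose comm or contexts contain that substring,
    which is the "gather all AVCs that mention consolekit" step from the thread."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        haystack = rec.get('comm', '') + rec['scontext'] + rec['tcontext']
        if mention and mention not in haystack:
            continue
        summary[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(summary)


def unlabeled_targets(summary):
    """Denials against file_t are unlabeled files: fix with restorecon, not new policy."""
    return [key for key in summary if key[1] == 'file_t']
```

Feed it the output of `ausearch -m avc` or the kernel ring buffer after `semodule -DB`; with dontaudit rules disabled the summary will also show denials that are normally hidden.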

Comment 7 Daniel Walsh 2011-11-14 18:19:39 UTC
Adam I would do this myself, but I have hosed up my rawhide box, due to the X Server update stuff.

Comment 8 Adam Williamson 2011-11-14 20:57:35 UTC
I'll try and do that, yeah. Note that after a bit I noticed that the semanage 'workaround' doesn't fix everything - notably, the system gets stuck at the lock screen if you let it time out. So I'm booting with enforcing=0 for now.


Comment 9 Daniel Walsh 2011-11-16 19:21:02 UTC
Created attachment 534073 [details]
Policy to fix login in Rawhide

While I am not seeing this on my rawhide box, I did see some other problems without this access. (Modifications of the wireless).

Adding this access fixed the wireless, and seems like it would fix your problems.

You can test it by saving this file to a file named mypol.te

Then execute

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp
# setenforce 1

Try to login.

One of the features I am trying to add to F17 is the ability to eliminate all sys_ptrace and ptrace, via boolean.  I want to investigate if these processes actually need sys_ptrace or if this is a bug in the kernel.

Comment 10 Adam Williamson 2011-11-16 21:07:35 UTC
Dan says the fix will be in selinux-policy -59, so I'll just wait for that.


Comment 11 Adam Williamson 2011-11-21 23:48:47 UTC
well, 'currentrelease' seems optimistic, as there's still no -59 build in koji.
